Privacy Shield Framework Policy

Last Updated: October 4, 2017

MFXchange US, Inc. and its affiliates (collectively, “MFX”) complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (EU) and Switzerland to the United States. MFX has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Framework, and to view our certification, please visit www.privacyshield.gov.

This Privacy Shield Framework Policy (this “Policy”) sets forth the privacy principles followed by MFX in connection with the transfer and protection of European Personal Data (as defined below) received from countries in the EU or Switzerland. This Policy describes how MFX handles European Personal Data from its customers in connection with the services provided by MFX. This Policy may be changed at any time in accordance with the requirements of the Privacy Shield Framework. The policy is available at the following link on our website: www.mfxservices.com/privacy-shield-policy. MFX also collects certain information from our Website visitors. More detail about what information we collect on our Website, how it is used, and each visitor’s rights and obligations may be found in MFX’s Privacy Policy which is located at www.mfxservices.com/privacy-policy.

Scope

This Statement governs European Personal Data transferred from countries in the EU or Switzerland to the United States on behalf of MFX or its customers. It applies to European Personal Data in electronic and off-line formats. “European Personal Data” means information that can directly or indirectly lead to the identification of a living person, such as an individual’s name, address, e-mail, telephone number, license number, social security number, medical identification number, photograph, or other identifying characteristic. The identification can occur by reference to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity. European Personal Data does not include information that has been anonymized, encoded or otherwise stripped of its identifiers, or information that is publicly available, unless combined with other non-public personal information.

MFX may receive European Personal Data from its customers for purposes of providing services to its customers. In connection with providing the services, MFX may collect passwords, user names, and other data from customer networks, which may incidentally include European Personal Data for the exclusive purposes of performing the services on behalf of its customers. At all times with respect to European Personal data collected on behalf of its customers, and not for any other purpose under US federal or state law, MFX acts as a mere “data processor” (as that term is defined under applicable EU or Swiss law or otherwise referred to under the Privacy Shield Framework as an “agent”).

Responsibility

You have a right to access any of your European Personal Data which MFX may collect or process. You also have a right to request that this data be corrected or removed from our servers.

Resolution of Complaints

In compliance with the Privacy Shield Principles, MFX commits to resolve complaints about our collection or use of your personal information.(EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact MFX at MFXchange US, Inc. Attention: Privacy Officer, 1140 US Hwy 22 East, Suite 201, Bridgewater, NJ 08807.)

MFX commits to cooperate with the International Centre for Dispute Resolution /American Arbitration Association (ICDR/AAA), http://go.adr/org/privacyshield.html in the event you do not receive acknowledgement of your inquiry or your inquiry has not been satisfactorily addressed.

The Federal Trade Commission has jurisdiction over MFX’s compliance with the Privacy Shield.

Other Disclosures

MFX may also disclose European Personal Data as necessary in connection with the sale or transfer of all or part of its business. MFX does not currently disclose our customers’ European Personal Data to third parties or use third parties for the purposes of processing European Personal Data. If such a situation were to occur in the future, and MFX were to disclose European Personal Data to any third parties acting as “agents” on behalf of MFX, MFX will require the recipient to protect the European Personal Data in accordance with the relevant principles of the Privacy Shield Framework, or otherwise take steps to ensure that the European Personal Data is appropriately protected. In the context of such an onward transfer, MFX has responsibility for the processing of European Personal Data it receives and subsequently transfers to a third party acting as an agent on its behalf. MFX shall remain liable under the Principles if its agent processes such European Personal Data in a manner inconsistent with the Principles, unless MFX proves that it is not responsible for the event giving rise to the damage. MFX may disclose European Personal Data where required or permitted by law, where MFX believes that such disclosures are appropriate in connection with a law enforcement request or otherwise permitted by the Privacy Shield Framework, or in order to investigate, prevent, or take action regarding illegal activities or suspected fraud, or enforce, administer or apply MFX’s agreements.

An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. For additional information, see https://www.privacyshield.gov/article?id=ANNEX-I-introduction

Questions

If you have any questions about this Policy, or if you would like to request access to European Personal Data that MFX may maintain about you, please contact MFX at Privacy@mfxfservices.com or in writing at:MFXchange US, Inc. Attention: Privacy Officer, 412 Mt Kemble Avenue, Suite 200 Morristown, NJ 07960.